One of the challenges of hosting your own site and using WordPress is security. As WP has gotten more and more popular, it has become a huge target for hackers of all sorts. I’ve had my own fair share of old installations getting hacked and causing problems for live sites, rogue files, brute-force login attempts that create a denial of service, DoS attacks against XML-RPC, and so on over the years.
Recently, I came across a mention of a security plugin called Wordfence and decided to try it out. It scans your install for any changes made to the WordPress core, theme and plugin files by comparing them to the original from the WordPress codex. Sure enough, for the couple of places where I had made some customizations, it noted those as changed files and warned me about them. It then let me mark those as safe to ignore, provided they don’t change again, which is nice. I’m always nervous when a security app allows the user to set it to ignore a file, and then that’s the file that gets corrupted, and it continues to ignore it. It even warned me about a corrupt file that I had missed about 8 folders deep when I was cleaning up that infection last year, so that’s also nice!
Eventually though, I got everything cleaned up and verified with one more scan!
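The "ignore, provided it doesn't change again" behaviour described above can be sketched as a baseline comparison in which an accepted file is pinned to the hash that was reviewed. This is an added example, not Wordfence's code; the SHA-256 manifest and the file names and contents in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan(root, baseline, accepted):
    # baseline: {relpath: sha256} of the pristine release.
    # accepted: {relpath: sha256} of reviewed edits; honoured only while the hash matches.
    report = {"modified": [], "unknown": [], "accepted": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if rel not in baseline:
            report["unknown"].append(rel)    # not part of the release
        elif digest == baseline[rel]:
            continue                         # pristine
        elif accepted.get(rel) == digest:
            report["accepted"].append(rel)   # reviewed, unchanged since
        else:
            report["modified"].append(rel)   # changed, or changed again
    report["missing"] = sorted(r for r in baseline if not (root / r).is_file())
    return report


def demo():
    """Run two scans over a constructed tree (names and contents made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        css = root / "wp-content/themes/x/style.css"
        for path, data in ((root / "index.php", b"<?php // core"), (css, b"body{}")):
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        baseline = {p.relative_to(root).as_posix(): sha256_file(p)
                    for p in root.rglob("*") if p.is_file()}
        css.write_bytes(b"body{color:red}")          # admin customization
        accepted = {"wp-content/themes/x/style.css": sha256_file(css)}
        first = scan(root, baseline, accepted)
        css.write_bytes(b"body{color:red}/* x */")   # changes after acceptance
        deep = root / "a/b/c/d/e/f/g/h/cache.php"    # new file 8 folders deep
        deep.parent.mkdir(parents=True)
        deep.write_bytes(b"<?php // unexpected")
        return first, scan(root, baseline, accepted)


if __name__ == "__main__":
    print(demo())
```

The first scan reports the customized stylesheet as accepted; the second flags it as modified again and lists the deep file as unknown, because acceptance is tied to the file's content rather than its path.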
Tags: Plugin, Security, Wordpress
I was doing a little light reading last night, about the latest scourge of iCloud attacks, wherein a hacker gets access to your iCloud account, and using the Find my iPhone service, puts your device in “lost mode” and sets up a PIN to lock you out of your own device until you pay the ransom.
It’s brilliant in its simplicity, gaining access to a cloud service that is used to protect your data, and using its own tools against you.
As I continued reading about the theories about how the hacker was gaining access to the iCloud accounts, and ways to protect yourself from this kind of attack, this bit jumped out at me. I almost spilled my drink.
iPhones and iPads that have a PIN don’t present the attacker with the ability to set their own. That screen earlier on where I remotely locked the device is only presented when it doesn’t already have a PIN so that immediately thwarts this attack. Even if the device is just for the kids, if you connect it to iCloud, put a PIN on it (don’t worry about it making life hard for them, kids have an uncanny ability to access a device protected by nothing more than four numbers).
What the hell people? Ask anyone about losing their phone and they’ll likely tell you about how awful that would be, how it has “their whole life on there”, but they still walk around without even the simplest of security turned on? Really, is the 2 seconds it takes to enter a PIN too much effort? C’mon we have to be better than that. If you don’t have a PIN on your iPhone or iPad please go check out how to enable one. The next time you leave your device somewhere, or set it down in a crowded room/bar/restaurant/etc. you’ll be glad for that meager bit of protection from prying finger tips.
Tags: iPad, iPhone, Security
If you’re not familiar with TrueCrypt, it’s a free utility that you can use to encrypt your data. I’ve used it for years, lots of people in the eDiscovery world have used it for years, among many other tech professionals, and I would imagine they continue to use it.
Given the large user base, and the nature of the tool to begin with, the current state of affairs is a huge concern. As ArsTechnica explains:
One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn’t safe to use.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” text in red at the top of TrueCrypt page on SourceForge states. The page continues: “This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
So has the site been hacked? Is this a hoax? Are they really suggesting that everyone should stop using their software with no further comment or explanation? Who knows? It certainly bears watching for those of us who’ve been using it!
Tags: eDiscovery, Microsoft, Security